Team Management
Manage team members in LostChurn — roles and permissions, inviting and removing members, SSO/SAML configuration, and audit logging.
Team management lets you control who has access to your LostChurn account and what they can do. Invite team members, assign roles with granular permissions, and track every action with audit logging. Team management is available on all tiers with varying team member limits.
Team Member Limits by Tier
| Tier | Team Members Included | Additional Members |
|---|---|---|
| Recovery Engine | 3 | Not available |
| Recovery Engine Pro | 10 | $10/month each |
| Revenue Command | 25 | $8/month each |
| Enterprise | Unlimited | Included |
The account owner counts toward the team member limit. A Recovery Engine account supports the owner plus two additional team members.
Roles
LostChurn provides four predefined roles. Each team member is assigned exactly one role.
Owner
The account creator. There is exactly one Owner per account. The Owner has full access to everything and is the only role that can:
- Delete the account
- Transfer ownership to another team member
- Manage billing and subscription
- Access API key management
Admin
Full operational access without billing or account deletion capabilities. Admins can manage team members, configure integrations, and modify all recovery and campaign settings.
Member
Day-to-day operational access. Members can create and edit campaigns, view analytics, and manage customer records, but cannot change account settings or manage other team members.
Viewer
Read-only access. Viewers can see dashboards, analytics, customer records, and campaign results, but cannot create, edit, or delete anything.
Permissions Matrix
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Dashboard & Analytics | ||||
| View dashboard and KPIs | Yes | Yes | Yes | Yes |
| View analytics and reports | Yes | Yes | Yes | Yes |
| Export data (CSV/JSON) | Yes | Yes | Yes | No |
| Campaigns | ||||
| View campaigns | Yes | Yes | Yes | Yes |
| Create campaigns | Yes | Yes | Yes | No |
| Edit campaigns | Yes | Yes | Yes | No |
| Delete campaigns | Yes | Yes | No | No |
| Activate/pause campaigns | Yes | Yes | Yes | No |
| Templates | ||||
| View templates | Yes | Yes | Yes | Yes |
| Create templates | Yes | Yes | Yes | No |
| Edit templates | Yes | Yes | Yes | No |
| Delete templates | Yes | Yes | No | No |
| Customers | ||||
| View customer records | Yes | Yes | Yes | Yes |
| Edit customer records | Yes | Yes | Yes | No |
| Manual campaign enrollment | Yes | Yes | Yes | No |
| Recovery | ||||
| View recovery states | Yes | Yes | Yes | Yes |
| Trigger manual retry | Yes | Yes | Yes | No |
| Override recovery strategy | Yes | Yes | No | No |
| Integrations | ||||
| View connected PSPs | Yes | Yes | Yes | Yes |
| Connect/disconnect PSPs | Yes | Yes | No | No |
| Configure webhooks | Yes | Yes | No | No |
| Settings | ||||
| View account settings | Yes | Yes | Yes | No |
| Edit recovery settings | Yes | Yes | No | No |
| Edit campaign defaults | Yes | Yes | No | No |
| Edit localization | Yes | Yes | No | No |
| Team Management | ||||
| View team members | Yes | Yes | Yes | Yes |
| Invite team members | Yes | Yes | No | No |
| Remove team members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Billing | ||||
| View billing and invoices | Yes | No | No | No |
| Change subscription tier | Yes | No | No | No |
| Manage payment method | Yes | No | No | No |
| Account | ||||
| Delete account | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
| Manage API keys | Yes | No | No | No |
Inviting Team Members
Sending an Invitation
- Navigate to Settings > Team
- Click Invite Member
- Enter the team member's email address
- Select a role (Admin, Member, or Viewer)
- Click Send Invitation
The invitee receives an email with a link to accept the invitation and create their LostChurn account (or link their existing account).
Invitation States
| State | Description | Expiry |
|---|---|---|
| Pending | Invitation sent, not yet accepted | 7 days |
| Accepted | Team member has joined | N/A |
| Expired | Invitation was not accepted in time | After 7 days |
| Revoked | Owner or Admin cancelled the invitation | N/A |
Resending or Revoking Invitations
From the Team settings page:
- Click Resend next to a pending invitation to send a new email (resets the 7-day expiry)
- Click Revoke to cancel a pending invitation
Invitations cannot be sent if your team member limit has been reached. Upgrade your tier or remove existing members to free up a slot.
Removing Team Members
- Navigate to Settings > Team
- Find the team member you want to remove
- Click the ... menu and select Remove
- Confirm the removal in the dialog
When a team member is removed:
- Their access is revoked immediately
- Their active sessions are terminated
- Campaigns and templates they created remain intact
- Their actions remain in the audit log with their name attached
The account Owner cannot be removed. To change the Owner, use the Transfer Ownership option first.
Transferring Ownership
Only the current Owner can transfer ownership:
- Navigate to Settings > Team
- Click Transfer Ownership
- Select the team member who will become the new Owner (must be an Admin)
- Enter your password to confirm
- The selected team member becomes the Owner; you become an Admin
Ownership transfer is immediate and cannot be undone without the new Owner's cooperation.
SSO/SAML (Enterprise Only)
SSO/SAML is available exclusively on the Enterprise tier. Contact your account manager to enable it.
Enterprise customers can configure Single Sign-On using SAML 2.0 to enforce centralized authentication through their identity provider (IdP).
Supported Identity Providers
LostChurn has been tested with the following IdPs:
- Okta
- Azure Active Directory (Entra ID)
- Google Workspace
- OneLogin
- PingFederate
- JumpCloud
Other SAML 2.0-compliant IdPs should work but are not officially supported.
Configuration
- Navigate to Settings > Security > SSO
- Click Configure SAML
- Enter the following from your IdP:
- SSO URL — The IdP's SAML endpoint
- Entity ID — The IdP's entity identifier
- Certificate — The IdP's X.509 signing certificate
- Copy the LostChurn ACS URL and SP Entity ID into your IdP configuration
- Click Test Connection to validate the setup
- Enable Require SSO to enforce SAML authentication for all team members
SAML Attributes
LostChurn expects the following SAML attributes in the assertion:
| Attribute | Required | Description |
|---|---|---|
email | Yes | Team member's email address |
firstName | No | First name (used for display) |
lastName | No | Last name (used for display) |
role | No | LostChurn role (Owner, Admin, Member, Viewer) |
If the role attribute is provided, LostChurn automatically assigns the specified role to new team members who sign in via SSO. If omitted, new SSO users are assigned the Member role by default.
Just-in-Time Provisioning
When SSO is enabled, team members who authenticate through your IdP for the first time are automatically provisioned in LostChurn:
- No invitation is needed
- They receive the role specified in the SAML
roleattribute (or Member by default) - They count toward your team member limit
- JIT provisioning can be disabled if you prefer to manage invitations manually
Enforcing SSO
When Require SSO is enabled:
- All team members must authenticate through the IdP
- Password-based login is disabled for all non-Owner accounts
- The Owner retains password access as a break-glass mechanism
- Existing sessions for non-SSO users are terminated
Audit Logging
Every team action in LostChurn is recorded in the audit log, providing a complete trail of who did what and when.
What Is Logged
| Category | Examples |
|---|---|
| Authentication | Login, logout, failed login attempt, SSO authentication |
| Team changes | Member invited, removed, role changed, ownership transferred |
| Campaign changes | Campaign created, edited, activated, paused, deleted |
| Template changes | Template created, edited, deleted |
| Settings changes | Recovery settings updated, integration connected/disconnected |
| Customer actions | Customer record edited, manual retry triggered, campaign enrollment |
| Data exports | CSV or JSON export initiated |
Viewing the Audit Log
- Navigate to Settings > Security > Audit Log
- Browse the chronological list of events
- Use filters to narrow by:
- Team member — Actions by a specific person
- Category — Authentication, campaigns, settings, etc.
- Date range — Events within a specific time window
Audit Log Entry Format
Each entry includes:
- Timestamp — When the action occurred (in your account's timezone)
- Actor — The team member who performed the action
- Action — What was done (e.g., "Created campaign", "Removed team member")
- Target — The object affected (e.g., campaign name, team member email)
- Details — Additional context (e.g., changed fields, old and new values)
- IP Address — The actor's IP address
Retention
Audit logs are retained based on your tier:
| Tier | Retention Period |
|---|---|
| Recovery Engine | 30 days |
| Recovery Engine Pro | 90 days |
| Revenue Command | 1 year |
| Enterprise | Unlimited (configurable) |
Exporting Audit Logs
Enterprise customers can export audit logs as CSV or JSON:
- Navigate to Settings > Security > Audit Log
- Apply any desired filters
- Click Export
- Select the format (CSV or JSON)
- The export runs as a background job; you will be notified when it is ready
What's Next
- Security Overview — Learn about LostChurn's security practices and certifications
- Usage Limits — Understand team member limits and other tier-based quotas